The Joint Certification Program (JCP) was established almost 40 years ago so US and Canadian contractors could access unclassified export controlled technical data. More recently, since November of 2020, organizations that are submitting or renewing their JCP application are required to have a documented NIST 800-171 Assessment result within the Supplier Performance Risk System (SPRS). Since the JCP needs to be renewed every 5 years, many organizations are facing this new requirement for the first time, and aren’t sure what to do.

What is a NIST 800-171 Assessment?

A NIST 800-171 Gap Assessment will evaluate your organization’s security posture against the 110 controls (and 320 Assessment Objectives) found in the NIST 800-171 standard. These 110 controls are divided into 14 different families covering different parts of an organization’s security posture.

The 14 NIST 800-171 families are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

How do you conduct a NIST 800-171 Assessment?

Conducting a gap assessment is as simple as going through each control and determining whether your organization has fully implemented it. Every control in the NIST 800-171 standard has a point value assigned to it: 1, 3, or 5 points.

How do you score your NIST 800-171 Assessment?

The scoring for the assessment is very different than most people are used to. The highest possible score of 110 points is where you start with the assessment, and for every control that is not fully implemented you subtract that control’s points. 

For example let’s say you are starting your assessment with the first control:

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

This control is worth 5 points, and an organization must have fully implemented all 6 of the Assessment Objectives below to keep those points. If even one of the Assessment Objectives is not implemented, then the organization must subtract those 5 points.

  • 3.1.1[a] authorized users are identified.
  • 3.1.1[b] processes acting on behalf of authorized users are identified.
  • 3.1.1[c] devices (and other systems) authorized to connect to the system are identified.
  • 3.1.1[d] system access is limited to authorized users.
  • 3.1.1[e] system access is limited to processes acting on behalf of authorized users.
  • 3.1.1[f] system access is limited to authorized devices (including other systems).
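The scoring rule above (start at 110, subtract a control's full point value if any one of its Assessment Objectives is unmet) is easy to get wrong in a spreadsheet, so here is an added example that implements it. This is illustrative code written for this page, not a tool from FirstCall or from NIST/DoD. Control 3.1.1 and its six objectives are taken from the text; the other two controls in the sample assessment are constructed, and their point values are assumptions to be checked against the DoD Assessment Methodology. The function also returns the list of failed controls and their unmet objectives, which is the raw material for the Plan of Action and Milestones.

```python
from dataclasses import dataclass

# Starting score under the DoD assessment methodology, as described in the text.
MAX_SCORE = 110
ALLOWED_POINTS = {1, 3, 5}


@dataclass
class Control:
    ident: str                   # e.g. "3.1.1"
    points: int                  # 1, 3 or 5
    objectives: dict             # objective id -> True if implemented

    def fully_implemented(self) -> bool:
        # All-or-nothing: a single unmet objective forfeits the control's full points.
        return all(self.objectives.values())

    def unmet_objectives(self) -> list:
        return [obj for obj, ok in self.objectives.items() if not ok]


def validate_controls(controls) -> None:
    """Reject point values outside {1, 3, 5} and duplicate control identifiers."""
    seen = set()
    for c in controls:
        if c.points not in ALLOWED_POINTS:
            raise ValueError(f"{c.ident}: invalid point value {c.points}")
        if c.ident in seen:
            raise ValueError(f"{c.ident}: listed twice")
        seen.add(c.ident)


def score_assessment(controls):
    """Return (score, gaps). gaps is a list of (control id, points lost, unmet objectives)."""
    validate_controls(controls)
    score = MAX_SCORE
    gaps = []
    for c in controls:
        if not c.fully_implemented():
            score -= c.points
            gaps.append((c.ident, c.points, c.unmet_objectives()))
    return score, gaps


# Constructed sample assessment. 3.1.1 and its objectives are from the page;
# 3.1.2 and 3.1.3 are placeholders whose point values are assumptions.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, {
        "3.1.1[a]": True,   # authorized users are identified
        "3.1.1[b]": True,   # processes acting on behalf of users are identified
        "3.1.1[c]": False,  # authorized devices are NOT yet identified
        "3.1.1[d]": True,
        "3.1.1[e]": True,
        "3.1.1[f]": True,
    }),
    Control("3.1.2", 5, {"3.1.2[a]": True, "3.1.2[b]": True}),
    Control("3.1.3", 1, {"3.1.3[a]": True, "3.1.3[b]": False}),
]


def sample_score():
    return score_assessment(SAMPLE_CONTROLS)


if __name__ == "__main__":
    score, gaps = sample_score()
    print(f"SPRS score: {score}")
    for ident, pts, unmet in gaps:
        # Each line here is a POA&M entry waiting to be written.
        print(f"  {ident}: -{pts} points, unmet objectives: {', '.join(unmet)}")
```

Note that 3.1.1 loses all 5 points even though five of its six objectives are met; the single unmet objective [c] is enough. In a real assessment all 110 controls would be listed, and only then does a fully implemented set add up to 110.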

It is helpful when conducting an assessment to use a template with all of the points already assigned to each control. You can download our template here.

For all 320 Assessment Objectives that go with the controls, see the NIST 800-171A standard, which you can access here.

You’ve Completed your Assessment…Now What?

Your organization has gone through every control and their corresponding Assessment Objectives, and you have your score. Are you ready to submit it to SPRS?

Not quite. Organizations must also have a System Security Plan documenting how they have implemented those controls and, for any control that is not implemented, a Plan of Action and Milestones showing how they will remediate that gap. Organizations do not (and should not) upload those documents into the SPRS database, but they will have to enter the date on which those documents became official.

Once an organization has these three items:

  • SPRS Score
  • System Security Plan
  • Plan of Action and Milestones

they are ready to submit their SPRS score and move forward with their JCP certification. Organizations should be aware that for most DoD contracts, the SPRS score must be updated every 3 years.

How does this relate to CMMC?

Starting in Q1 of 2025, CMMC will officially be a requirement in DoD contracts. This means that organizations will need to have a perfect SPRS score, and pass a third party audit, before they will be able to win any new DoD contracts.

So, where should organizations start? Most of the time, we recommend that an organization get a true Gap Assessment from someone with experience in this field. When organizations conduct their own assessment, they often overlook areas of concern that auditors will fail them on.

Benefits of a Third-Party NIST 800-171 Gap Assessment

  • Objectivity and Expertise: Unbiased evaluation by cybersecurity experts.
  • Efficiency and Focus: Streamlined assessment, allowing internal teams to focus on core business.
  • Risk Mitigation: Identifies and addresses vulnerabilities to protect sensitive data.
  • Compliance Assurance: Ensures adherence to NIST 800-171 standards.
  • Improved Security Posture: Strengthens overall security through expert recommendations.

Don’t let the complexities of NIST 800-171 overwhelm your organization. The FirstCall Consulting team has successfully helped hundreds of companies through the assessment process. We understand the challenges you face and can provide tailored solutions to address your specific needs. 

Take the first step towards getting your JCP certification and set yourself up for future CMMC success. Contact us today for a comprehensive NIST 800-171 gap assessment.

Published On: August 29th, 2024 / Categories: CMMC /